Abstract. We propose a novel algorithm for automata-based LTL model checking that interleaves the construction of the generalized Büchi automaton for the negation of the formula and the emptiness check. Our algorithm first converts the LTL formula into a linear weak alternating automaton; configurations of the alternating automaton correspond to the locations of a generalized Büchi automaton, and a variant of Tarjan's algorithm is used to decide the existence of an accepting run of the product of the transition system and the automaton. Because we avoid an explicit construction of the Büchi automaton, our approach can yield significant improvements in runtime and memory for large LTL formulas. The algorithm has been implemented within the SPIN model checker, and we present experimental results for some benchmark examples.


1 Introduction 

The automata-based approach to linear-time temporal logic (LTL) model checking reduces the problem of deciding whether a formula $\varphi$ holds of a transition system $T$ to two subproblems: first, one constructs an automaton $\mathcal{A}_{\neg\varphi}$ that accepts precisely the models of $\neg\varphi$. Second, one uses graph-theoretical algorithms to decide whether the product of $T$ and $\mathcal{A}_{\neg\varphi}$ admits an accepting run; this is the case if and only if $\varphi$ does not hold of $T$. On-the-fly algorithms [?] avoid an explicit construction of the product and are commonly used to decide the second problem. However, the construction of a non-deterministic Büchi (or generalized Büchi) automaton $\mathcal{A}_{\neg\varphi}$ is already of complexity exponential in the length of $\varphi$, and several algorithms have been suggested [?, 18, ?] that improve on the classical method for computing Büchi automata [?]. Still, there are applications, for example when verifying liveness properties over predicate abstractions, where the construction of $\mathcal{A}_{\neg\varphi}$ takes a significant fraction of the overall verification time. The relative cost of computing $\mathcal{A}_{\neg\varphi}$ is particularly high when $\varphi$ does not hold of $T$, because acceptance cycles are often found rather quickly when they exist.

In this paper we suggest an algorithm for LTL model checking that interleaves the construction of (a structure equivalent to) the automaton $\mathcal{A}_{\neg\varphi}$ and the test for non-emptiness. Technically, the input to our algorithm is a transition system $T$ and a linear weak alternating automaton (LWAA, alternatively known as a very weak alternating automaton) corresponding to $\neg\varphi$. The size of the LWAA is linear in the length of the LTL formula, and the time for its generation is insignificant. It can be considered as a symbolic representation of the corresponding generalized Büchi automaton (GBA). LWAA have also been employed as an intermediate format in the algorithms suggested by Gastin and Oddoux [?], Fritz [?], and Schneider [?]. Our main contribution is the identification of a class of "simple" LWAA whose acceptance criterion is defined in terms of the sets of locations activated during a run, rather than the standard criterion in terms of automaton transitions. To explore the product of the transition system and the configuration graph of the LWAA, we employ a variant of Tarjan's algorithm to search for a strongly connected component that satisfies the automaton's acceptance condition.

We have implemented the proposed algorithm as an alternative verification method in the Spin model checker [?], and we discuss some implementation options and report on experimental results. Our implementation is available for download at http://www.pst.ifi.lmu.de/projekte/lwaaspin/.

2 LTL and linear weak alternating automata 

We define alternating $\omega$-automata, especially LWAA, and present the translation from propositional linear-time temporal logic LTL to LWAA. Throughout, we assume a fixed finite set $\mathcal{V}$ of atomic propositions.

2.1 Linear weak alternating automata 

We consider automata that operate on temporal structures, i.e. $\omega$-sequences of valuations of $\mathcal{V}$. Alternating automata combine the existential branching mode of non-deterministic automata (i.e., choice) with its dual, universal branching, where several successor locations are activated simultaneously. We present the transitions of alternating automata by associating with every location $q \in Q$ a propositional formula $\delta(q)$ over $\mathcal{V}$ and $Q$. For example, we interpret

$\delta(q_1) = (v \wedge q_2 \wedge (q_1 \vee q_3)) \vee (\neg w \wedge q_1) \vee w$

as asserting that if location $q_1$ is currently active and the current input satisfies $v$ then the automaton may simultaneously activate the locations $q_2$ and either $q_1$ or $q_3$. If the input satisfies $\neg w$ then $q_1$ may be activated. If the input satisfies $w$ then no successor locations need to be activated from $q_1$. If no disjunct of the transition formula can be satisfied by the current input together with some set of successor locations (for instance, a transition formula $v \wedge q_2$ on an input satisfying $\neg v$), the automaton blocks. At any point during a run, a set of automaton locations (a configuration) will be active, and transitions are required to satisfy the transition formulas of all active locations. Locations $q \in Q$ may only occur positively in transition formulas: locations cannot be inhibited. We use the following generic definition of alternating $\omega$-automata:

Definition 1. An alternating $\omega$-automaton is a tuple $\mathcal{A} = (Q, q_0, \delta, \mathrm{Acc})$ where

- $Q$ is a finite set (of locations) where $Q \cap \mathcal{V} = \emptyset$,

- $q_0 \in Q$ is the initial location,

- $\delta : Q \to \mathcal{B}(Q \cup \mathcal{V})$ is the transition function that associates a propositional formula $\delta(q)$ with every location $q \in Q$; locations in $Q$ can only occur positively in $\delta(q)$,

- and $\mathrm{Acc} \subseteq Q^\omega$ is the acceptance condition.
Fig. 1. Visualization of alternating automata and run dags: (a) transition graph; (b) prefix of run dag with configurations.


When the transition formulas $\delta(q)$ are written in disjunctive normal form, the alternating automaton can be visualized as a hypergraph. For example, Fig. 1(a) shows an alternating $\omega$-automaton and illustrates the above transition formula. We write $q \to q'$ if $q$ may activate $q'$, i.e. if $q'$ appears in $\delta(q)$.

Runs of an alternating $\omega$-automaton over a temporal structure $\sigma = s_0 s_1 \ldots$ are not just sequences of locations but give rise to trees, due to universal branching. However, different copies of the same target location can be identified, and we obtain a more economical dag representation as illustrated in Fig. 1(b): the vertical "slices" of the dag represent configurations that are active before reading the next input state.

We identify a set and the Boolean valuation that makes true precisely the elements of the set. For example, we say that the sets $\{v, w, q_2, q_3\}$ and $\{w\}$ satisfy the formula $\delta(q_1)$ above. For a relation $r \subseteq S \times T$, we denote its domain by $\mathrm{dom}(r)$. We denote the image of a set $A \subseteq S$ under $r$ by $r(A)$; for $x \in S$ we sometimes write $r(x)$ for $r(\{x\})$.


Definition 2. Let $\mathcal{A} = (Q, q_0, \delta, \mathrm{Acc})$ be an alternating $\omega$-automaton and $\sigma = s_0 s_1 \ldots$, where $s_i \subseteq \mathcal{V}$, be a temporal structure. A run dag of $\mathcal{A}$ over $\sigma$ is represented by the $\omega$-sequence $\Delta = e_0 e_1 \ldots$ of its edges $e_i \subseteq Q \times Q$. The configurations $c_0 c_1 \ldots$ of $\Delta$, where $c_i \subseteq Q$, are inductively defined by $c_0 = \{q_0\}$ and $c_{i+1} = e_i(c_i)$. We require that for all $i \in \mathbb{N}$, $\mathrm{dom}(e_i) \subseteq c_i$ and that for all $q \in c_i$, the valuation $s_i \cup e_i(q)$ satisfies $\delta(q)$. A finite run dag is a finite prefix of a run dag.

A path in a run dag $\Delta$ is a (finite or infinite) sequence $\pi = p_0 p_1 \ldots$ of locations $p_i \in Q$ such that $p_0 = q_0$ and $(p_i, p_{i+1}) \in e_i$ for all $i$. A run dag $\Delta$ is accepting iff $\pi \in \mathrm{Acc}$ holds for all infinite paths $\pi$ in $\Delta$. The language $L(\mathcal{A})$ is the set of words that admit some accepting run dag.

Because locations do not occur negatively in transition formulas $\delta(q)$, it is easy to see that whenever $s_i \cup X$ satisfies $\delta(q)$ for some set $X$ of locations, then so does $s_i \cup Y$ for any superset $Y$ of $X$. However, the dag resulting from replacing $X$ by $Y$ will have more paths, making the acceptance condition harder to satisfy. It is therefore enough to consider only run dags that arise from minimal models of the transition formulas w.r.t. the states of the temporal structure, activating as few successor locations as possible.



















LWAA are alternating $\omega$-automata whose accessibility relation determines a partial order: $q'$ is reachable from $q$ only if $q'$ is smaller than or at most equal to $q$. We are interested in LWAA with a co-Büchi acceptance condition:

Definition 3. A (co-Büchi) linear weak alternating automaton $\mathcal{A} = (Q, q_0, \delta, F)$ is a tuple where $Q$, $q_0$, and $\delta$ are as in Def. 1 and $F \subseteq Q$ is a set of locations, such that

- the relation $\preceq$ defined by $q' \preceq q$ iff $q \to^* q'$ is a partial order on $Q$ and

- the acceptance condition is given by

$\mathrm{Acc} = \{p_0 p_1 \ldots \in Q^\omega : p_i \in F \text{ for only finitely many } i \in \mathbb{N}\}$.

In particular, the hypergraph of the transitions of an LWAA does not contain cycles other than self-loops, and run dags of LWAA do not contain "rising edges" as in Fig. 1(b). It follows that every infinite path eventually remains stable at some location $q$, and the acceptance condition requires that $q \notin F$ holds for that "limit location". LWAA characterize precisely the class of star-free $\omega$-regular languages, which correspond to first-order definable $\omega$-languages and therefore also to the languages definable by propositional LTL formulas [?].

2.2 From LTL to LWAA 

Formulas of LTL (over atomic propositions in $\mathcal{V}$) are built using the connectives of propositional logic and the temporal operators $\mathbf{X}$ (next) and $\mathbf{U}$ (until). They are interpreted over a temporal structure $\sigma = s_0 s_1 \ldots \in (2^{\mathcal{V}})^\omega$ as follows; we write $\sigma|_i$ to denote the suffix $s_i s_{i+1} \ldots$ of $\sigma$ from state $s_i$.

$\sigma \models p$ iff $p \in s_0$
$\sigma \models \varphi \wedge \psi$ iff $\sigma \models \varphi$ and $\sigma \models \psi$
$\sigma \models \neg\varphi$ iff $\sigma \not\models \varphi$
$\sigma \models \mathbf{X}\varphi$ iff $\sigma|_1 \models \varphi$
$\sigma \models \varphi\,\mathbf{U}\,\psi$ iff for some $i \in \mathbb{N}$, $\sigma|_i \models \psi$ and for all $j < i$, $\sigma|_j \models \varphi$

We freely use the standard derived operators of propositional logic and the following derived temporal connectives:

$\mathbf{F}\varphi = \mathit{true}\,\mathbf{U}\,\varphi$ (eventually $\varphi$)
$\mathbf{G}\varphi = \neg\mathbf{F}\neg\varphi$ (always $\varphi$)
$\varphi\,\mathbf{V}\,\psi = \neg(\neg\varphi\,\mathbf{U}\,\neg\psi)$ ($\varphi$ releases $\psi$)
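As an added example that is not part of the paper, the following Python decides $\sigma \models \varphi$ for an ultimately periodic temporal structure $\sigma = s_0 \ldots s_{k-1}(s_k \ldots s_n)^\omega$ directly from the semantic clauses above, including the derived operators and the release operator $\mathbf{V}$ both as a primitive and via its definition as $\neg(\neg\varphi\,\mathbf{U}\,\neg\psi)$. The tuple encoding of formulas, the helper names and the two sample words are assumptions of this example, not notation from the paper.

```python
from functools import lru_cache

# Assumed encoding: ('true',), ('p', v), ('np', v), ('not', a), ('and', a, b),
# ('or', a, b), ('X', a), ('U', a, b), ('V', a, b); derived operators as on the page.
TRUE = ('true',)
def F_(f): return ('U', TRUE, f)                               # F f = true U f
def G_(f): return ('not', F_(('not', f)))                      # G f = not F not f
def R_(f, g): return ('not', ('U', ('not', f), ('not', g)))    # f V g = not(not f U not g)

def satisfies(phi, states, k):
    """sigma |= phi for the ultimately periodic temporal structure
    sigma = s_0 ... s_{k-1} (s_k ... s_n)^omega, given as the list `states` (each a
    set of propositions) and the loop start k.  Every suffix sigma|_i equals sigma|_j
    for some j <= n, and one lap around the loop suffices to find the witness of an
    until (the earliest position satisfying the right argument lies in that lap)."""
    n = len(states) - 1
    def positions(i):                    # positions of sigma|_i in order, one full lap
        return list(range(i, n + 1)) + list(range(k, n + 1))
    @lru_cache(maxsize=None)
    def sat(f, i):
        op = f[0]
        if op == 'true': return True
        if op == 'p':    return f[1] in states[i]
        if op == 'np':   return f[1] not in states[i]
        if op == 'not':  return not sat(f[1], i)
        if op == 'and':  return sat(f[1], i) and sat(f[2], i)
        if op == 'or':   return sat(f[1], i) or sat(f[2], i)
        if op == 'X':    return sat(f[1], i + 1 if i < n else k)
        seq = positions(i)
        if op == 'U':    # some sigma|_j satisfies f[2] and f[1] holds at every earlier position
            return any(sat(f[2], j) and all(sat(f[1], h) for h in seq[:m])
                       for m, j in enumerate(seq))
        if op == 'V':    # dual of U: f[2] holds at sigma|_j unless f[1] held strictly earlier
            return all(sat(f[2], j) or any(sat(f[1], h) for h in seq[:m])
                       for m, j in enumerate(seq))
        raise ValueError('unknown operator ' + op)
    return sat(phi, 0)

# Constructed sample words: RING = ({} {a} {b})^omega, LASSO = {a} ({} {b})^omega.
RING = [frozenset(), frozenset({'a'}), frozenset({'b'})]
LASSO = [frozenset({'a'}), frozenset(), frozenset({'b'})]
```

`satisfies(G_(('or', ('np', 'a'), F_(('p', 'b')))), RING, 0)` holds because every `a`-state of the ring is followed by a `b`-state, whereas `satisfies(G_(F_(('p', 'a'))), LASSO, 1)` fails because `a` occurs only in the prefix.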

An LTL formula $\varphi$ can be understood as defining the language

$L(\varphi) = \{\sigma \in (2^{\mathcal{V}})^\omega : \sigma \models \varphi\}$,

and the automata-theoretic approach to model checking builds on this identification of formulas and languages, via an effective construction of automata accepting the language $L(\varphi)$. The definition of an LWAA $\mathcal{A}_\varphi$ is particularly simple [15]: without loss of generality, we assume that LTL formulas are given in negation normal form (i.e., negation is applied only to propositions), and therefore include clauses for the dual operators $\vee$ and $\mathbf{V}$. The automaton is $\mathcal{A}_\varphi = (Q, q_\varphi, \delta, F)$ where $Q$ contains a location $q_\psi$ for every subformula $\psi$ of $\varphi$, with $q_\varphi$ being the initial location. The transition formulas $\delta(q_\psi)$ are defined in Fig. 2(a); in particular, LTL operators are simply decomposed according to their fixpoint characterizations. The set $F$ of co-final locations consists of all locations $q_{\psi\,\mathbf{U}\,\chi} \in Q$ that correspond to "until" subformulas of $\varphi$. It is easy to verify that the resulting automaton is an LWAA: for any locations $q_\psi$ and $q_\chi$, the definition of $\delta(q_\psi)$ ensures that $q_\psi \to q_\chi$ holds only if $\chi$ is a subformula of $\psi$. Correctness proofs for the construction can be found in [?]; conversely, Rohde [?] and Löding and Thomas [?] prove that for every LWAA $\mathcal{A}$ there is an LTL formula $\varphi_{\mathcal{A}}$ such that $L(\varphi_{\mathcal{A}}) = L(\mathcal{A})$.

Fig. 2. Translation of LTL formulas into LWAA. (a) Transition formulas of $\mathcal{A}_\varphi$ (figure not reproduced).


The number of subformulas of an LTL formula $\varphi$ is linear in the length of $\varphi$, and therefore so is the size of $\mathcal{A}_\varphi$. However, in practice the automaton should be minimized further. Clearly, unreachable locations can be eliminated. Moreover, whenever there is a choice between activating sets $X$ or $Y$ of locations where $X \subset Y$ from some location $q$, the smaller set $X$ should be preferred, and $Y$ should be activated only if $X$ cannot be. As a simple example, we can define $\delta(q_{\mathbf{F}p}) = p \vee (\neg p \wedge q_{\mathbf{F}p})$ instead of $\delta(q_{\mathbf{F}p}) = p \vee q_{\mathbf{F}p}$. Figure 2 shows two linear weak alternating automata obtained from LTL formulas by applying this construction (the locations in $F$ are indicated by double circles).

Further minimizations are less straightforward. Because the automaton structure closely resembles the structure of the LTL formula, heuristics to minimize the LTL formula [?, ?] are important. Fritz and Wilke [?] discuss more elaborate optimizations based on simulation relations on the set $Q$ of locations.


3 Deciding language emptiness for LWAA 

In general, it is nontrivial to decide language emptiness for alternating $\omega$-automata, due to their intricate combinatorial structure: a configuration consists of a set of automaton locations that have to "synchronize" on the current input state during a transition to a successor configuration. The standard approach is therefore based on a translation to non-deterministic Büchi automata, for which emptiness can be decided in linear time. Unfortunately, this translation is of exponential complexity.

















Linear weak alternating automata have a simpler combinatorial structure: the transition graph contains only trivial cycles, and therefore a run dag is non-accepting only if it contains a path that ends in a self-loop at some location $q \in F$. This observation gives rise to the following non-emptiness criterion for LWAA, which is closely related to Theorem 2 of [?]:

Theorem 4. Assume that $\mathcal{A} = (Q, q_0, \delta, F)$ is an LWAA. Then $L(\mathcal{A}) \neq \emptyset$ if and only if there exists a finite run dag $\Delta = e_0 e_1 \ldots e_n$ with configurations $c_0 c_1 \ldots c_{n+1}$ over a finite sequence $s_0 \ldots s_n$ of states and some $k \leq n$ such that

1. $c_k = c_{n+1}$ and

2. for every $q \in F$, one has $(q, q) \notin e_j$ for some $j$ where $k \leq j \leq n$.

Proof. "If": Consider the infinite dag $\Delta' = e_0 \ldots e_{k-1} (e_k \ldots e_n)^\omega$. Because $c_k = c_{n+1}$, it is obvious that $\Delta'$ is a run dag over $\sigma = s_0 \ldots s_{k-1} (s_k \ldots s_n)^\omega$; we now show that $\Delta'$ is accepting. Assume, to the contrary, that $\pi = p_0 p_1 \ldots$ is some infinite path in $\Delta'$ such that $p_i \in F$ holds for infinitely many $i \in \mathbb{N}$. Because $\mathcal{A}$ is an LWAA, there exists some $m \in \mathbb{N}$ and some $q \in Q$ such that $p_i = q$ for all $i \geq m$. It follows that $(q, q) \in e_i$ holds for all $i \geq m$, which is impossible by assumption (2) and the construction of $\Delta'$. Therefore, $\Delta'$ must be accepting, and $\sigma \in L(\mathcal{A})$.

"Only if": Assume that $\sigma = s_0 s_1 \ldots \in L(\mathcal{A})$, and let $\Delta' = e_0 e_1 \ldots$ be some accepting run dag of $\mathcal{A}$ over $\sigma$. Since $Q$ is finite, $\Delta'$ can contain only finitely many different configurations $c_0, c_1, \ldots$, and there is some configuration $c \subseteq Q$ such that $c_i = c$ for infinitely many $i \in \mathbb{N}$. Denote by $i_0 < i_1 < \ldots$ the $\omega$-sequence of indexes such that $c_{i_j} = c$. If there were some $q \in F$ such that $q \in e_j(q)$ for all $j \geq i_0$ (implying in particular that $q \in c_j$ for all $j \geq i_0$ by Def. 2) then $\Delta'$ would contain an infinite path ending in a self-loop at $q$, contradicting the assumption that $\Delta'$ is accepting. Therefore, for every $q \in F$ there must be some $j_q \geq i_0$ such that $(q, q) \notin e_{j_q}$. Choosing $k = i_0$ and $n = i_m - 1$ for some $m$ such that $i_m > j_q$ for all (finitely many) $q \in F$, we obtain a finite run dag $\Delta$ as required. □

Observe that Thm. 4 requires to inspect the transitions of the dag and not just the configurations. In fact, a run dag may well be accepting although some location $q \in F$ is contained in all (or almost all) configurations. For example, consider the LWAA for the formula $\mathbf{G}\mathbf{X}\mathbf{F}p$: the location $q_{\mathbf{F}p}$ will be active in every run dag from the second configuration onward, even if the run dag is accepting. We now introduce a class of LWAA for which it is enough to inspect the configurations.

Definition 5. An LWAA $\mathcal{A} = (Q, q_0, \delta, F)$ is simple if for all $q \in F$, all $q' \in Q$, all states $s \subseteq \mathcal{V}$, and all $X, Y \subseteq Q$ not containing $q$, if $s \cup X \cup \{q\} \models \delta(q')$ and $s \cup Y \models \delta(q)$ then $s \cup X \cup Y \models \delta(q')$.

In other words, if a co-final location $q$ can be activated from some location $q'$ for some state $s$ while it can be exited during the same transition, then $q'$ has an alternative transition that avoids activating $q$, and this alternative transition activates only locations that would anyway have been activated by the joint transitions from $q$ and $q'$. For simple LWAA, non-emptiness can be decided on the basis of the visited configurations alone, without memorizing the graph structure of the run dag.



Fig. 3. Illustration of the construction of Thm. 6.


Theorem 6. Assume that $\mathcal{A} = (Q, q_0, \delta, F)$ is a simple LWAA. Then $L(\mathcal{A}) \neq \emptyset$ if and only if there exists a finite run dag $\Delta = e_0 e_1 \ldots e_n$ with configurations $c_0 c_1 \ldots c_{n+1}$ over a finite sequence $s_0 \ldots s_n$ of states and some $k \leq n$ such that

1. $c_k = c_{n+1}$ and

2. for every $q \in F$, one has $q \notin c_j$ for some $j$ where $k \leq j \leq n$.

Proof. "If": The assumption $q \notin c_j$ and the requirement that $\mathrm{dom}(e_j) \subseteq c_j$ imply that $(q, q) \notin e_j$, and therefore $L(\mathcal{A}) \neq \emptyset$ follows using Thm. 4.

"Only if": Assume that $L(\mathcal{A}) \neq \emptyset$, obtain a finite run dag $\Delta$ satisfying the conditions of Thm. 4, and let $l = n - k + 1$ denote the length of the loop. "Unwinding" $\Delta$, we obtain an infinite run dag $e_0 e_1 \ldots$ over the temporal structure $s_0 s_1 \ldots$ whose edges are $e_i = e_{k + ((i-k) \bmod l)}$ for $i > n$, and similarly for the states $s_i$ and the configurations $c_i$. W.l.o.g. we assume that the dag contains no unnecessary edges, i.e. that for all $e_i \in \Delta$, $(q, q') \in e_i$ holds only if $q \to q'$.

We inductively construct an infinite run dag $\Delta' = e'_0 e'_1 \ldots$ with configurations $c'_0 c'_1 \ldots$ such that $c'_i \subseteq c_i$ as follows: let $c'_0 = c_0$ and for $i < k$, let $e'_i = e_i$ and $c'_{i+1} = c_{i+1}$. For $i \geq k$, assume that $c'_i$ has already been defined. Let $F_i$ denote the set of $q \in c'_i \cap F$ such that $(q, q) \notin e_i$ but $q \in e_i(c'_i)$, and for any $q \in F_i$ let $Q'_q$ denote the set of locations $q' \in c'_i$ such that $(q', q) \in e_i$ and let $Y_q = e_i(q)$. Because $\mathcal{A}$ is simple, it follows that $s_i \cup (e_i(q') \setminus \{q\}) \cup Y_q \models \delta(q')$, for all $q \in F_i$ and $q' \in Q'_q$. We let $e'_i$ be obtained from the restriction of $e_i$ to $c'_i$ by deleting all edges $(q', q)$ for $q \in F_i$ and adding edges $(q', q'')$ for all $q' \in Q'_q$ and $q'' \in Y_q$, for $q \in F_i$. Clearly, this ensures that $c'_{i+1} \subseteq c_{i+1}$ holds for the resulting configuration and that $c'_{i+1} \cap F_i = \emptyset$.

For any $q \in F_i$, the definition of an LWAA and the assumption that $q \notin Y_q$ ensure that $q'' \prec q$ holds for all $q'' \in Y_q$, as well as $q \preceq q'$ for all $q' \in Q'_q$. In particular, we must have $q'' \neq q'$ for all $q'' \in Y_q$ and $q' \in Q'_q$, and therefore $e'_i$ does not contain more self loops than $e_i$: for all $p \in Q$, we have $(p, p) \in e'_i$ only if $(p, p) \in e_i$.

Consequently, $\Delta'$ is an accepting infinite run dag such that for every $q \in F$ there exists some $j \geq k$ such that $q \notin c'_j$. It now suffices to pick some $n \geq k$ satisfying the conditions of the theorem; such an $n$ exists because $F$ is finite and $\Delta'$ can contain only finitely many different configurations. □

Fig. 3 illustrates two accepting run dags for a simple LWAA: the dag shown above satisfies the criterion of Thm. 4 although the co-final location corresponding to $\mathbf{F}p$ remains active from the second configuration onward. The dag shown below is the result of the transformation described in the proof, and indeed the location $\mathbf{F}p$ is infinitely often inactive.

We now show that the LWAA $\mathcal{A}_\varphi$ for an LTL formula $\varphi$ is simple provided $\varphi$ does not contain subformulas $\mathbf{X}(\chi\,\mathbf{U}\,\chi')$. Such subformulas are easily avoided because $\mathbf{X}$ distributes over $\mathbf{U}$. Actually, our implementation exploits the commutativity of $\mathbf{X}$ with all LTL connectives to rewrite formulas such that no other temporal operators are in the scope of $\mathbf{X}$; this is useful for preliminary simplifications at the formula level. Also, the transformations described at the end of Sect. 2 ensure that the LWAA remains simple.


Theorem 7. For any LTL formula $\varphi$ that does not contain any subformula $\mathbf{X}(\chi\,\mathbf{U}\,\chi')$, the automaton $\mathcal{A}_\varphi$ is a simple LWAA.


Proof. Let $\mathcal{A}_\varphi = (Q, q_\varphi, \delta, F)$ and assume that $q \in F$, $q' \in Q$, and $X, Y \subseteq Q$ are as in Def. 5, in particular $s \cup X \cup \{q\} \models \delta(q')$ and $s \cup Y \models \delta(q)$. The proof is by induction on $\psi$ where $q' = q_\psi$.

$\psi = (\neg)v$: $\delta(q') = \psi$, so we must have $s \models \delta(q')$, and the assertion $s \cup X \cup Y \models \delta(q')$ follows trivially.

$\psi = \chi \wedge \chi'$ or $\psi = \chi \vee \chi'$: $\delta(q') = \delta(q_\chi) \wedge \delta(q_{\chi'})$ resp. $\delta(q') = \delta(q_\chi) \vee \delta(q_{\chi'})$, and the assertion follows easily from the induction hypothesis.

$\psi = \mathbf{X}\chi$: $\delta(q') = q_\chi$. By assumption $\chi$ is not an $\mathbf{U}$ formula, so $q_\chi \notin F$. In particular, $q_\chi \neq q$, and so the assumption $s \cup X \cup \{q\} \models \delta(q')$ implies that $s \cup X \models \delta(q')$, and the assertion $s \cup X \cup Y \models \delta(q')$ follows by monotonicity.

$\psi = \chi\,\mathbf{U}\,\chi'$: $\delta(q') = \delta(q_{\chi'}) \vee (\delta(q_\chi) \wedge q')$. In case $s \cup X \cup \{q\} \models \delta(q_{\chi'})$, the induction hypothesis implies $s \cup X \cup Y \models \delta(q_{\chi'})$, hence also $s \cup X \cup Y \models \delta(q')$.

If $s \cup X \cup \{q\} \models \delta(q_\chi) \wedge q'$, we consider two cases: if $q = q'$ then $s \cup Y \models \delta(q')$ holds by assumption. Moreover, $s \cup X \cup Y \models \delta(q_\chi)$ holds by induction hypothesis, and the assertion follows.

Otherwise, we must have $q' \in X$. Again, $s \cup X \cup Y \models \delta(q_\chi)$ follows from the induction hypothesis, and since $q' \in X$ it follows that $s \cup X \cup Y \models \delta(q_\chi) \wedge q'$.

$\psi = \chi\,\mathbf{V}\,\chi'$: $\delta(q') = \delta(q_{\chi'}) \wedge (\delta(q_\chi) \vee q')$. In particular, $s \cup X \cup \{q\} \models \delta(q_{\chi'})$, and we obtain $s \cup X \cup Y \models \delta(q_{\chi'})$ by induction hypothesis.

If $s \cup X \cup \{q\} \models \delta(q_\chi)$, we similarly obtain $s \cup X \cup Y \models \delta(q_\chi)$. Otherwise, note that $q \neq q'$ because $q \in F$ and $q' \notin F$ (since it is not an $\mathbf{U}$ formula). Therefore, we must have $s \cup X \models q'$, and a fortiori $s \cup X \cup Y \models q'$, completing the proof. □


Let us note in passing that simple LWAA are as expressive as LWAA, i.e. they also characterize the class of star-free $\omega$-regular languages: from [?] we know that for every LWAA $\mathcal{A}$ there is an LTL formula $\varphi_{\mathcal{A}}$ such that $L(\varphi_{\mathcal{A}}) = L(\mathcal{A})$. Since $\mathbf{X}$ distributes over $\mathbf{U}$, $\varphi_{\mathcal{A}}$ can be transformed into an equivalent formula $\varphi'$ of the form required in Thm. 7, and $\mathcal{A}_{\varphi'}$ is a simple LWAA accepting the same language as $\mathcal{A}$.


4 Model checking algorithm 

We describe a model checking algorithm based on the nonemptiness criterion of Thm. 6 and we discuss some design decisions encountered in our implementation. The algorithm has been integrated within the LTL model checker Spin, and we present some results that have been obtained on benchmark examples.



procedure Visit(s, C):
  let c = (s, C) in
    inComp[c] := false; root[c] := c; labels[c] := ∅;
    cnt[c] := cnt; cnt := cnt + 1; seen := seen ∪ {c};
    push(c, stack);
    forall c' = (s', C') in Succ(c) do
      if c' ∉ seen then Visit(s', C') end if;
      if ¬inComp[c'] then
        if cnt[root[c']] < cnt[root[c]] then
          labels[root[c']] := labels[root[c']] ∪ labels[root[c]];
          root[c] := root[c']
        end if;
        labels[root[c]] := labels[root[c]] ∪ (f_lwaa \ C);   // f_lwaa = co-final locations
        if labels[root[c]] = f_lwaa then raise Good_Cycle end if;
      end if;
    end forall;
    if root[c] = c then
      repeat
        d := pop(stack);
        inComp[d] := true;
      until d = c;
    end if;
  end let;
end Visit;

procedure Check:
  stack := empty; seen := ∅; cnt := 0;
  Visit(init_ts, {init_lwaa});   // start with the initial location
end Check;

Fig. 4. LWAA-based model checking algorithm.


4.1 Adapting Tarjan’s algorithm 

Theorem 6 contains the core of our model checking algorithm: given the simple LWAA $\mathcal{A}_{\neg\varphi}$ corresponding to the negation $\neg\varphi$ of the property to be verified, we explore the product of the transition system $T$ and the graph of configurations of $\mathcal{A}_{\neg\varphi}$, searching for a strongly connected component that satisfies the acceptance condition. In fact, in the light of Thm. 6 a simple LWAA $\mathcal{A}$ can alternatively be viewed as a symbolic representation of a GBA whose locations are sets of locations of $\mathcal{A}$, and that has an acceptance condition per co-final location of $\mathcal{A}$.

The traditional CVWY algorithm [?] for LTL model checking based on Büchi automata has been generalized for GBA by Tauriainen [?], but we find it easier to adapt Tarjan's algorithm [?] for finding strongly connected components in graphs. Figure 4 gives a pseudo-code representation of our algorithm. The depth-first search operates on pairs $(s, C)$ where $s$ is a state of the transition system and $C$ is a configuration of the LWAA. Given a pair $c = (s, C)$, the call to $\mathit{Succ}$ computes the set $\mathit{succ}_T(s) \times \mathit{succ}_{\mathcal{A}}(s, C)$ containing all pairs $c' = (s', C')$ of successor states $s'$ of the transition system and successor configurations $C'$ of the LWAA, i.e. those $C'$ which satisfy $s \cup C' \models \delta(q)$ for all $q \in C$. Tarjan's algorithm assigns a so-called root candidate $\mathit{root}$ to each node of the graph, which is the oldest node on the stack known to belong to the same SCC.


In model checking, we are not so much interested in actually computing SCCs: it is sufficient to verify that the acceptance criterion of Thm. 6 is met for some strongly connected subgraph (SCS). To do so, we associate a $\mathit{labels}$ field with the root candidate of each SCC that accumulates the locations that have been found absent in some pair $(s, C)$ contained in the SCC. Whenever $\mathit{labels}$ is found to contain all co-final locations of the LWAA (denoted by $\mathit{f\_lwaa}$), the SCS must be accepting and the search is aborted. Note that we need to maintain two stacks: one for the depth-first search recursion, and one for identifying SCCs.

If an accepting SCS is found, we also want to produce a counter-example, and Tarjan's algorithm is less convenient for this purpose than the CVWY algorithm whose recursion stack contains the counter-example once a cycle has been detected. In our case, neither the recursion stack nor the SCC stack represent a complete counter-example. A counter-example can still be obtained by traversing the nodes of an accepting SCS that have already been visited, without re-considering the transition system. We add two pointers to our node representation in the SCC stack, representing "backward" and "forward" links that point to the pair from which the current node was reached and to the oldest pair on the stack that is a successor of the current pair. Indeed, one can show that the subgraph of nodes on the SCC stack with neighborhood relation

$\{(c, c') : c' = \mathit{forward}(c) \text{ or } c = \mathit{backward}(c')\}$

also forms an SCS of the product graph. A counter-example can now be produced by enforcing a visit to all the pairs that satisfy some acceptance condition.

4.2 Computation of successor configurations 

The efficient generation of successor configurations in $\mathit{succ}_{\mathcal{A}}(s, C)$ is a crucial part of our algorithm. Given a configuration $C \subseteq Q$ of the LWAA and a state $s$ of the transition system (which we identify with a valuation of the propositional variables), we need to compute the set of all $C'$ such that $s \cup C' \models \delta(q)$ holds for all $q \in C$. Moreover, we are mainly interested in finding minimal successor configurations.

An elegant approach towards computing successor configurations makes use of BDDs [?]. In fact, the transitions of an LWAA can be represented by a single BDD. The set of minimal successor configurations is obtained by conjoining this BDD with the BDD representations of the state $s$ and the source configuration $C$, and then extracting the set of all satisfying valuations of the resulting BDD. Some experimentation convinced us, however, that the resulting BDDs become too big for large LTL formulas. Alternatively, one can store BDDs representing $\delta(q)$ for each location $q$ and form the conjunction of all $\delta(q)$ for $q \in C$. Again, this approach turned out to consume too much memory.

We finally resorted to using BDDs only as a representation of configurations. To do so, we examine the hyperedges of the transition graph of the LWAA, which correspond to the clauses of the disjunctive normal form of $\delta(q)$. For every location $q \in C$, we compute the disjunction of its enabled transitions, and then take the conjunction over all locations in $C$. We thus obtain

$\mathit{succ}_{\mathcal{A}}(s, C) = \bigwedge_{q \in C} \Big( \bigvee_{t \in \mathit{enabled}(s, q)} \big( \bigwedge t \big) \Big)$

as the BDD representing the set of successor configurations, where $\mathit{enabled}(s, q)$ denotes the set of enabled transitions of $q$ for state $s$, i.e. those transitions $t$ for which $s \cup Q \models t$. Although this requires pre-computing a potentially exponentially large set of transitions, this approach appears to be fastest for BDD-based calculation of successor nodes.

We compare this approach to a direct calculation of successor configurations that stores them as a sorted list, which is pruned to remove non-minimal successors. Although the pruning step is of quadratic complexity in our implementation (it could be improved to $O(n \log n)$ time), experiments showed that it pays off handsomely because fewer nodes need to be explored in the graph search.
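The following Python puts the pieces of Sects. 2.2, 4.1 and 4.2 together; it is an added example, not code from the paper or from LwaaSpin. It builds $\mathcal{A}_\varphi$ from an LTL formula in negation normal form, keeping each transition formula as a list of DNF clauses, i.e. as the hyperedges of the transition graph, and using the decompositions that appear in the proof of Thm. 7 ($\delta(q_{\chi\,\mathbf{U}\,\chi'}) = \delta(q_{\chi'}) \vee (\delta(q_\chi) \wedge q_{\chi\,\mathbf{U}\,\chi'})$, $\delta(q_{\chi\,\mathbf{V}\,\chi'}) = \delta(q_{\chi'}) \wedge (\delta(q_\chi) \vee q_{\chi\,\mathbf{V}\,\chi'})$, $\delta(q_{\mathbf{X}\chi}) = q_\chi$); it computes minimal successor configurations by the direct, list-based approach of Sect. 4.2; and it runs the search of Fig. 4 over pairs $(s, C)$ with the label sets justified by Thm. 6. The tuple encoding of formulas, the function names, the three-state ring transition system and the emptiness test `nonempty` (the same search over the universal transition system of all valuations) are assumptions of this example. It expects its input to contain no until in the scope of $\mathbf{X}$, as Thm. 7 requires for the LWAA to be simple, and it resolves root candidates through their chain of root pointers so that labels attached to a superseded candidate are carried along to the current one.

```python
from itertools import combinations, product

# Assumed NNF encoding: ('true',), ('false',), ('p', v), ('np', v), ('and', a, b), ('or', a, b), ('X', a), ('U', a, b), ('V', a, b)
TRUE, FALSE = ('true',), ('false',)
def F_(f): return ('U', TRUE, f)      # F f = true U f
def G_(f): return ('V', FALSE, f)     # G f = false V f

def conj(A, B):
    """Conjoin DNF clause lists; a clause (props, negated props, targets) is one
    hyperedge of the transition graph, and clauses needing p and not p are dropped."""
    return [(p1 | p2, n1 | n2, l1 | l2) for p1, n1, l1 in A for p2, n2, l2 in B
            if not (p1 | p2) & (n1 | n2)]

def lwaa(phi):
    """A_phi of Sect. 2.2: a location q_psi per subformula psi, transition formulas
    by the fixpoint decompositions of the proof of Thm. 7, F = the until locations."""
    delta, F = {}, set()
    def loc(f): return [(frozenset(), frozenset(), frozenset([f]))]
    def build(f):
        if f not in delta:
            op = f[0]
            if op == 'true':    cl = [(frozenset(), frozenset(), frozenset())]
            elif op == 'false': cl = []
            elif op == 'p':     cl = [(frozenset([f[1]]), frozenset(), frozenset())]
            elif op == 'np':    cl = [(frozenset(), frozenset([f[1]]), frozenset())]
            elif op == 'and':   cl = conj(build(f[1]), build(f[2]))
            elif op == 'or':    cl = build(f[1]) + build(f[2])
            elif op == 'X':     build(f[1]); cl = loc(f[1])
            elif op == 'U':     cl = build(f[2]) + conj(build(f[1]), loc(f)); F.add(f)
            elif op == 'V':     cl = conj(build(f[2]), build(f[1]) + loc(f))
            delta[f] = cl
        return delta[f]
    build(phi)
    return delta, frozenset(F), phi       # phi itself is the initial location q_phi

def successors(delta, s, C):
    """Minimal C' with s ∪ C' ⊨ delta(q) for all q in C (Sect. 4.2): one enabled
    hyperedge per active location, union of their targets, supersets pruned."""
    choices = []
    for q in C:
        enabled = [l for p, n, l in delta[q] if p <= s and not (n & s)]
        if not enabled:
            return []                         # q blocks on s: no successor
        choices.append(enabled)
    succs = {frozenset().union(*combo) for combo in product(*choices)}
    return [c for c in succs if not any(d < c for d in succs)]

class GoodCycle(Exception): pass

def check(ts_init, ts_succ, delta, F, q0):
    """The search of Fig. 4 over pairs (s, C): labels[root] collects the co-final
    locations absent from some pair of the SCS being built; by Thm. 6 the SCS is
    accepting once every location of F has been seen absent."""
    num, root, labels, in_comp, stack = {}, {}, {}, {}, []
    def find(c):                              # current root candidate of c's SCS
        while root[c] != c:
            c = root[c]
        return c
    def visit(c):
        s, C = c
        num[c], root[c], labels[c], in_comp[c] = len(num), c, frozenset(), False
        stack.append(c)
        succ_C = successors(delta, s, C)      # C' is chosen while reading s
        for s2 in ts_succ[s]:
            for C2 in succ_C:
                c2 = (s2, C2)
                if c2 not in num:
                    visit(c2)
                if in_comp[c2]:               # SCC of c2 is already closed
                    continue
                r, r2 = find(c), find(c2)     # c2 is on the stack: same SCS as c
                if num[r2] < num[r]:          # keep the older root candidate
                    labels[r2] |= labels[r]
                    root[r] = r2
                    r = r2
                labels[r] |= F - C            # co-final locations absent in c
                if labels[r] == F:
                    raise GoodCycle
        if root[c] == c:                      # c is the root: close its SCC
            while stack[-1] != c:
                in_comp[stack.pop()] = True
            in_comp[stack.pop()] = True
    try:
        visit((ts_init, frozenset([q0])))
        return False
    except GoodCycle:
        return True

def counterexample_exists(ts_init, ts_succ, neg_phi):
    """True iff T x A_{not phi} has an accepting run, i.e. phi fails on T."""
    return check(ts_init, ts_succ, *lwaa(neg_phi))

def nonempty(phi):
    """L(A_phi) ≠ ∅ (Thm. 6): search the product with the universal transition
    system over the propositions of phi, started from every valuation."""
    delta, F, q0 = lwaa(phi)
    props = sorted({f[1] for f in delta if f[0] in ('p', 'np')})
    states = [frozenset(c) for r in range(len(props) + 1) for c in combinations(props, r)]
    return any(check(s, {t: states for t in states}, delta, F, q0) for s in states)

# Constructed three-state ring {} -> {a} -> {b} -> {} used as the sample model.
RING = [frozenset(), frozenset({'a'}), frozenset({'b'})]
RING_SUCC = {RING[i]: [RING[(i + 1) % 3]] for i in range(3)}
```

On the ring, `counterexample_exists(RING[0], RING_SUCC, F_(G_(('np', 'c'))))` finds an accepting SCS (the negation of $\mathbf{G}\mathbf{F}c$ is satisfied by every run), while the negation of $\mathbf{G}(a \Rightarrow \mathbf{F}b)$, i.e. $\mathbf{F}(a \wedge \mathbf{G}\neg b)$, yields no counter-example because the location $q_{\mathbf{G}\neg b}$ blocks on the $b$-state. `nonempty` shows the same search deciding language emptiness: $\mathbf{G}a \wedge \mathbf{F}\neg a$ has no model, $\mathbf{G}\mathbf{F}a$ does.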

4.3 Adapting Spin 

Either approach to computing successors works best if we can efficiently determine the set of enabled transitions of an LWAA location. One way to do this is to generate C source code for a given LWAA and then use the CPU arithmetics. The Spin model checker employs a similar approach, albeit for Büchi automata, and this is one of the reasons why we adapted it to use our algorithm.

Spin is generally considered as one of the fastest and most complete tools for protocol verification. For a given model (written in Promela) and Büchi automaton (called "never-claim"), it generates C sources that are then compiled to produce a model-specific model checker. Spin also includes a translation from LTL formulas to Büchi automata, but for our comparisons we used the LTL2BA tool due to Gastin and Oddoux [?], which is faster by orders of magnitude for large LTL formulas.

Our adaptation, called LwaaSpin, adds the generation of LWAA to Spin, and modifies the code generation to use Tarjan's algorithm and on-the-fly calculation of successor configurations. This involved about 150 code changes, and added about 2600 lines of code. Spin includes elaborate optimizations, such as partial-order reduction, that are independent of the use of non-deterministic or alternating automata and that can therefore be used with our implementation as well. We have not yet adapted Spin's optimizations of memory usage such as bitstate hashing to our algorithm, although we see no obstacle in principle to doing so.

4.4 Experimental results 

Geldenhuys and Valmari [?] have recently proposed to use Tarjan's algorithm, but for non-deterministic Büchi automata, and we have implemented their algorithm for comparison. We have not been able to reproduce their results indicating that Tarjan's algorithm outperforms the CVWY algorithm on nondeterministic Büchi automata (their paper does not indicate which implementation of CVWY was used). In our experiments, both algorithms perform head-to-head on most examples. We now describe the results for the implementation based on LWAA.

For most examples, the search for an accepting SCS in the product graph is slower than the runtime of the model checker produced by Spin after LTL2ba has generated the Büchi automaton. However, for large LTL formulas our algorithm can be considerably faster than generating the Büchi automaton and then checking the emptiness of the product automaton. Note, however, that both Spin and our implementation use unguided search, and we can thus not exactly compare single instances of satisfiable problems.

Large LTL formulas are not as common as one might expect. Spin's implementation of the CVWY algorithm can handle weak fairness of processes directly; such conditions do not have to be added to the LTL formula to be verified. We present two simple and scalable examples: the dining philosophers problem and a binary semaphore protocol.

For the dining philosophers example, we want to verify that if every philosopher holds exactly one fork infinitely often, then philosopher 1 will eventually eat:

$\mathbf{G}\mathbf{F}\,\mathit{hasFork}_1 \wedge \ldots \wedge \mathbf{G}\mathbf{F}\,\mathit{hasFork}_n \Rightarrow \mathbf{G}\mathbf{F}\,\mathit{eat}_1$

The model dinphil$n$ denotes the situation where all $n$ philosophers start with their right-hand fork, which may lead to a deadlock. The model dinphil$n$i avoids the deadlock by letting the $n$-th philosopher start with his left-hand fork.

For the binary semaphore example we claim that if strong fairness is ensured for each process, all processes will eventually have been in their critical section:

$(\mathbf{G}\mathbf{F}\,\mathit{canenter}_1 \Rightarrow \mathbf{G}\mathbf{F}\,\mathit{enter}_1) \wedge \ldots \wedge (\mathbf{G}\mathbf{F}\,\mathit{canenter}_n \Rightarrow \mathbf{G}\mathbf{F}\,\mathit{enter}_n) \Rightarrow \mathbf{F}\,\mathit{allcrit}$

By sfgood$n$, we denote a constellation with $n$ processes and strong fairness assumed for each of them, while sfbad$n$ denotes the same constellation, except with weak fairness for process $p_n$, which will allow the process to starve.

Table 1 contains timings (in seconds) for the different steps of the verification process for Spin 4.1.1 and for our LwaaSpin implementation. Spin requires successive invocations of ltl2ba, spin, gcc and pan; LwaaSpin combines the first two stages. The times were measured on an Intel Pentium 4, 3.0 GHz computer with 1 GB main memory running Linux and without other significant process activity. Entries "o.o.t." indicate that the computation did not finish within 2 hours, while "o.o.m." means "out of memory".

We can see that most of the time required by Spin is spent on preparing the pan model checker, either by calculating the non-deterministic Büchi automata for the dining philosophers, or by handling the large automata sources for the binary semaphore example. LwaaSpin significantly reduces the time taken for pre-processing.

The sizes of the generated automata are indicated in Table 2. "States seen" denotes the number of distinct states (of the product automaton) encountered by LwaaSpin using the direct successor configuration calculation approach. It should be noted that the Büchi automata for the dining philosophers example are very small compared to the size of the formula, and are in fact linear; even for the dinphil10i case, the automaton contains only 12 locations. This is not true for the semaphore example: the Büchi automaton for sfgood7 contains 3025 locations and 23391 transitions. Still, one advantage of using LTL2ba is that a Büchi automaton that has been computed once can be stored and reused; this could reduce the overall verification time for the dining philosophers example where the same formula is used for both the valid and the invalid model.

Problem    | Counter- | Spin                                    | LwaaSpin
           | example  | ltl2ba   | spin    | gcc    | pan     | lwaaspin | gcc    | pan
-----------+----------+----------+---------+--------+---------+----------+--------+--------
dinphil6   | yes      | 0.431    | 0.019   | 0.601  | 0.079   | 0.019    | 0.579  | 0.163
dinphil8   | yes      | 35.946   | 0.02    | 0.671  | 0.133   | 0.027    | 0.818  | 0.166
dinphil10  | yes      | 3611.724 | 0.025   | 0.767  | 1.642   | 0.057    | 1.899  | 0.170
dinphil12  | yes      | o.o.t.   | –       | –      | –       | 0.141    | 6.644  | 0.206
dinphil14  | yes      | –        | –       | –      | –       | 0.499    | 28.082 | 0.431
dinphil15  | yes      | –        | –       | –      | –       | 0.972    | o.o.m. | –
dinphil6i  | no       | 0.431    | 0.024   | 0.639  | 0.244   | 0.020    | 0.616  | 0.569
dinphil8i  | no       | 35.946   | 0.021   | 0.711  | 7.309   | 0.028    | 0.861  | 20.177
dinphil10i | no       | 3611.724 | 0.025   | 0.807  | 722.874 | 0.070    | 2.623  | 623.760
dinphil11i | no       | o.o.t.   | –       | –      | –       | 0.099    | 3.438  | o.o.m.
sfbad6     | yes      | 1.904    | 0.912   | 7.284  | 0.025   | 0.066    | 2.211  | 1.312
sfbad7     | yes      | 27.674   | 42.525  | o.o.m. | –       | 0.179    | 7.423  | 7.848
sfbad8     | yes      | –        | –       | –      | –       | 0.784    | 43.472 | 7.000
sfbad9     | yes      | –        | –       | –      | –       | 2.627    | o.o.m. | –
sfgood6    | no       | 2.292    | 17.329  | 27.608 | 2.193   | 0.064    | 2.227  | 2.540
sfgood7    | no       | 36.306   | 417.485 | o.o.m. | –       | 0.357    | 8.214  | 15.940
sfgood8    | no       | –        | –       | –      | –       | 0.718    | 42.688 | 140.130
sfgood9    | no       | –        | –       | –      | –       | 2.634    | o.o.m. | –

Table 1. Comparison of Spin and LwaaSpin (BDD-less successor calculation). Times in seconds; "–" marks a cell that is empty in the original table.

Problem    | Successor calculation | LWAA                    | Büchi                   | States
           | BDD     | direct      | Locations | Transitions | Locations | Transitions | seen
-----------+---------+-------------+-----------+-------------+-----------+-------------+----------
dinphil6   | 0.834   | 0.761       | 10        | 207         | 8         | 36          | 105
dinphil8   | 1.194   | 1.011       | 12        | 787         | 10        | 55          | 119
dinphil10  | 2.803   | 2.126       | 14        | 3095        | 12        | 78          | 133
dinphil6i  | 1.291   | 1.205       | 10        | 207         | 8         | 36          | 46165
dinphil8i  | 21.802  | 21.021      | 12        | 787         | 10        | 55          | 1.2 · 10^?
dinphil10i | 643.006 | 626.453     | 14        | 3095        | 12        | 78          | 1.5 · 10^?
sfbad6     | 16.664  | 3.589       | 26        | 4140        | 252       | 1757        | 137882
sfbad7     | 354.874 | 15.461      | 30        | 16435       | 1292      | 8252        | 597686
sfgood6    | 32.261  | 4.831       | 26        | 4139        | 972       | 5872        | 221497
sfgood7    | 115.539 | 24.511      | 30        | 16434       | 3025      | 23391       | 872589

Table 2. Comparison of successor calculation, and sizes of the automata. Successor calculation times in seconds; the exponents of the two "States seen" entries written as powers of ten are illegible in the source and are marked "?".

We can draw two conclusions from our data: first, the preprocessing by LwaaSpin uses very little time because we do not have to calculate the Büchi automaton (although strictly speaking our implementation is also exponential because it transforms the transition formulas into disjunctive normal form). This makes up for the usually inferior performance of our pan version. It also means that we can at least start a model checking run, even for very large LTL formulas, in the hope of finding a counter-example. Second, we can check larger LTL formulas. Ultimately, we encounter the same difficulties as Spin during both the gcc and the pan phases; after all, we are confronted with a PSPACE-complete problem. The pre-processing phase could be further reduced
by avoiding the generation of an exponential number of transitions in the C sources, postponing more work to the pan executable. Besides, the bitstate hashing technique as implemented in Spin [?] could also be applied to Tarjan's algorithm.

Table 2 also compares the two approaches to computing successor configurations described in Sect. The BDD-based approach appears to be less predictable and never outperforms the direct computation, but further experience is necessary to better understand the tradeoff.


5 Conclusion and further work 

We have presented a novel algorithm for the classical problem of LTL model checking. It uses an LWAA encoding of the LTL property as a symbolic representation of the corresponding GBA, which is effectively generated on the fly during the state space search, and never has to be stored explicitly. By adapting the Spin model checker to our approach, we validate that, for large LTL formulas, the time gained by avoiding the expensive construction of a non-deterministic Büchi automaton more than makes up for the runtime penalty due to the implicit GBA generation during model checking, and this advantage does not appear to be offset by the simplifications applied to the intermediate automata by algorithms such as LTL2ba. However, we do not yet really understand the relationship between minimizations at the automaton level and the local optimizations applied in our search.
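The emptiness check that the approach relies on, as an added illustration written for this page (it is neither the paper's nor LwaaSpin's code): Tarjan's SCC algorithm run over a generalized Büchi graph that is available only through a successor function, so the graph is explored on the fly rather than built and stored first. Each G F obligation in a fairness premise such as the ones above contributes one acceptance condition, and the check succeeds only if a single reachable, non-trivial SCC meets all of them; the graphs and acceptance marks below are constructed sample data.

```python
# Added example (not from the paper or LwaaSpin): GBA emptiness via Tarjan's
# SCC algorithm over a graph given only by a successor function (on the fly).
def has_accepting_run(init, succ, marks, n_conditions):
    """True iff a reachable non-trivial SCC carries every acceptance mark
    0..n_conditions-1; succ(s) -> successors, marks(s) -> marks of s."""
    index, lowlink, on_stack, stack = {}, {}, set(), []
    counter, found = [0], [False]

    def strongconnect(v):
        index[v] = lowlink[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        self_loop = False
        for w in succ(v):  # successors computed on demand, never stored up front
            self_loop |= (w == v)
            if w not in index:
                strongconnect(w)
                if found[0]:
                    return  # an accepting SCC was already found below v
                lowlink[v] = min(lowlink[v], lowlink[w])
            elif w in on_stack:
                lowlink[v] = min(lowlink[v], index[w])
        if lowlink[v] == index[v]:  # v is the root of a completed SCC
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            seen = set().union(*(set(marks(w)) for w in comp))
            # generalized Büchi acceptance: one SCC must meet all conditions
            if (len(comp) > 1 or self_loop) and len(seen) == n_conditions:
                found[0] = True

    strongconnect(init)
    return found[0]

# Constructed samples with two acceptance conditions (two G F obligations):
# GOOD has both marks on the cycle a-b-c; SPLIT puts mark 1 in another SCC.
GOOD = {"a": ["b"], "b": ["c"], "c": ["a"]}
SPLIT = {"a": ["b"], "b": ["c"], "c": ["a", "d"], "d": ["d"]}
MARKS_GOOD = {"a": (0,), "c": (1,)}
MARKS_SPLIT = {"a": (0,), "d": (1,)}

def check(graph, marks):
    """Run the check from state "a" with two conditions: GOOD -> True, SPLIT -> False."""
    return has_accepting_run("a", lambda s: graph[s], lambda s: marks.get(s, ()), 2)
```

The SPLIT case is the point of the generalized condition: both marks are visited along one run, yet no accepting run exists because they never lie in the same SCC.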

We believe that our approach opens the way to verifying large LTL formulas by model checking. Further work should investigate the possibilities that arise from this opportunity, such as improving techniques for software model checking based on predicate abstraction. Also, our implementation still leaves room for performance improvements. In particular, the LWAA should be further minimized, the representation of transitions could be reconsidered, and the memory requirements could be reduced by clever coding techniques.